Abstract

We consider the following model repair problem: given a finite Kripke structure M and a specification formula η in some modal or temporal logic, determine if M contains a substructure M' (with the same initial state) that satisfies η. Thus, M can be "repaired" to satisfy the specification η by deleting some transitions.

We map an instance (M, η) of model repair to a boolean formula repair(M, η) such that (M, η) has a solution iff repair(M, η) is satisfiable. Furthermore, a satisfying assignment determines which transitions must be removed from M to generate a model M' of η. Thus, we can use any SAT solver to repair Kripke structures. Furthermore, using a complete SAT solver yields a complete algorithm: it always finds a repair if one exists.

We extend our method to repair finite-state shared memory concurrent programs, to solve the discrete event supervisory control problem [18, 19], to check for the existence of symmetric solutions [12], and to accommodate any boolean constraint on the existence of states and transitions in the repaired model.

Finally, we show that model repair is NP-complete for CTL, and for logics with polynomial model checking algorithms to which CTL can be reduced in polynomial time. A notable example of such a logic is Alternating-Time Temporal Logic (ATL).
1 Introduction and Motivation

Counterexample generation in model checking produces an example behavior that violates the formula being checked, and so facilitates debugging the model. However, there could be many counterexamples, and they may have to be dealt with by making different fixes manually, thus increasing debugging effort. In this paper we deal with all counterexamples at once, by "repairing" the model: we present a method for automatically fixing Kripke structures and shared memory concurrent programs with respect to CTL [11] and ATL [1] specifications.

Our contribution. We first present a "subtractive" repair algorithm: fix a Kripke structure only by removing transitions and states (roughly speaking, those transitions and states that "cause" violation of the specification). If the initial state is not deleted, then the resulting structure (or program) satisfies the specification. We show that this algorithm is sound and relatively complete. An advantage of subtractive repair is that it does not introduce new behaviors, and thus any missing (i.e., not part of the formula being repaired against) conjuncts of the specification that are expressible in a universal temporal logic (no existential path quantifier) are still satisfied (if they originally were). Hence we can fix w.r.t. incomplete specifications.

We also extend the subtractive repair method in several directions: to accommodate the addition of states and transitions, to solve the discrete event supervisory control problem [18, 19], to accommodate arbitrary boolean constraints on the existence of states and transitions in the repaired model, and to repair atomic read/write shared memory concurrent programs. Finally, we show that the model repair problem is NP-complete.

Formally, we consider the model repair problem: given a Kripke structure M and a CTL or ATL formula η, does there exist a substructure M' of M (obtained by removing transitions and states from M) such that M' satisfies η? In this case, we say that M is repairable w.r.t. η, or that a repair exists.

Our algorithm computes (in deterministic time polynomial in the size of M times the size of η) a propositional formula repair(M, η) such that repair(M, η) is satisfiable iff M contains a substructure M' that satisfies η. Furthermore, a satisfying assignment for repair(M, η) determines which transitions must be removed from M to produce M'. Thus, a single run of a complete SAT solver is sufficient to find a repair, if one exists. Our approach leverages the research investment in SAT solvers to attack the model repair problem.

Soundness of our repair algorithm means that the resulting M' (if it exists) satisfies η. Completeness means that if the initial structure M contains a substructure that satisfies η, then our algorithm will find such a substructure, provided that a complete SAT solver is used to check satisfiability of repair(M, η).

While our method has a worst case running time exponential in the number of global states, this occurs only if the underlying SAT solver uses exponential time. SAT solvers have proved to be efficient in practice, as demonstrated by the success of SAT-solver based tools such as Alloy, NuSMV, and Isabelle/HOL. The success of SAT solvers in practice indicates that our method will be applicable to reasonable size models, just as, for example, Alloy [H] is.

Related work. The use of transition deletion to repair Kripke structures was suggested in [4, 5] in the context of atomicity refinement: a large grain concurrent program is refined naively (e.g., by replacing a test and set by the test, followed nonatomically by the set). In general, this may introduce new computations (corresponding to "bad interleavings") that violate the specification. These are removed by deleting some transitions.

The use of model checking to generate counterexamples was suggested by Clarke et al. [9] and Hojati et al. [13]. [9] presents an algorithm for generating counterexamples for symbolic model checking. [13] presents BDD-based algorithms for generating counterexamples ("error traces") for both language containment and fair CTL model checking. Game-based model checking [23, 20] provides a method for extracting counterexamples from a model checking run. The core idea is a coloring algorithm that colors nodes in the model-checking game graph that contribute to violation of the formula being checked.

The idea of generating a propositional formula from a model checking problem was presented in [6]. That paper considers LTL specifications and bounded model checking: given an LTL formula f, a propositional formula is generated that is satisfiable iff f can be verified within a fixed number k of transitions along some path (E f). By setting f to the negation of the required property, counterexamples can be generated. Repair is not discussed.

Some authors [16, 22, 21] have considered algorithms for solving the repair problem: given a program (or circuit), and a specification, how to automatically modify the program (or circuit) so that the specification is satisfied. There appears to be no automatic repair method that is (1) complete (i.e., if a repair exists, then find a repair) for a full temporal logic (e.g., CTL, LTL), and (2) repairs all faults in a single run, i.e., deals implicitly with all counterexamples "at once." For example, Jobstmann et al. [16] consider only one repair at a time, and their method is complete only for invariants. In [21], the approach of [16] is extended so that multiple faults are considered at once, but at the price of exponential complexity in the number of faults.

In [7] the repair problem for CTL is considered and solved using abductive reasoning. The method generates repair suggestions that must then be verified by model checking, one at a time. In contrast, we fix all faults at once.

Antoniotti [2] has shown that the related problem of discrete event supervisory control is also NP-complete.

The rest of the paper is as follows. Section 2 provides brief technical preliminaries. Section 3 is the core of the paper: it presents our model repair method for CTL in detail and discusses how the method is modified to handle ATL. Section 4 presents the various extensions discussed above. Section 5 presents several example applications of the method. Section 6 discusses our implementation, including experimental performance data. Section 7 discusses future work and concludes. Appendix A presents a manual simplification of an example repair formula, Appendix B provides proofs for all theorems, and Appendix C provides full technical preliminaries.

2 Preliminaries

We assume basic knowledge of CTL and ATL [1]. The logic CTL is given by the following grammar:

$\varphi ::= \mathit{true} \mid \mathit{false} \mid p \mid \neg\varphi \mid \varphi \wedge \varphi \mid \varphi \vee \varphi \mid \mathrm{AX}\varphi \mid \mathrm{EX}\varphi \mid \mathrm{A}[\varphi\mathrm{V}\varphi] \mid \mathrm{E}[\varphi\mathrm{V}\varphi]$

where $p \in \mathcal{AP}$, a set of atomic propositions. The semantics of a CTL formula are given with respect to a Kripke structure $M = (s_0, S, R, L)$ where $s_0$ is the start state, S is the set of states, $R \subseteq S \times S$ is the transition relation and $L : S \to 2^{\mathcal{AP}}$ is the labeling function. We use $M \models \varphi$ to abbreviate $M, s_0 \models \varphi$. We use the abbreviations $\mathrm{A}[\varphi\mathrm{U}\psi]$ for $\neg\mathrm{E}[\neg\varphi\mathrm{V}\neg\psi]$, $\mathrm{E}[\varphi\mathrm{U}\psi]$ for $\neg\mathrm{A}[\neg\varphi\mathrm{V}\neg\psi]$, $\mathrm{AF}\varphi$ for $\mathrm{A}[\mathit{true}\,\mathrm{U}\varphi]$, $\mathrm{EF}\varphi$ for $\mathrm{E}[\mathit{true}\,\mathrm{U}\varphi]$, $\mathrm{AG}\varphi$ for $\mathrm{A}[\mathit{false}\,\mathrm{V}\varphi]$, $\mathrm{EG}\varphi$ for $\mathrm{E}[\mathit{false}\,\mathrm{V}\varphi]$.

Definition 1 (Formula expansion). Given a CTL formula φ, its set of subformulae sub(φ) is defined as follows:

• $sub(p) = \{p\}$ where p is true, false, or an atomic proposition

• $sub(\neg\varphi) = \{\neg\varphi\} \cup sub(\varphi)$

• $sub(\varphi \wedge \psi) = \{\varphi \wedge \psi\} \cup sub(\varphi) \cup sub(\psi)$

• $sub(\varphi \vee \psi) = \{\varphi \vee \psi\} \cup sub(\varphi) \cup sub(\psi)$

• $sub(\mathrm{AX}\varphi) = \{\mathrm{AX}\varphi\} \cup sub(\varphi)$

• $sub(\mathrm{EX}\varphi) = \{\mathrm{EX}\varphi\} \cup sub(\varphi)$

• $sub(\mathrm{A}[\varphi\mathrm{V}\psi]) = \{\mathrm{A}[\varphi\mathrm{V}\psi],\ \mathrm{AXA}[\varphi\mathrm{V}\psi],\ \varphi \vee \mathrm{AXA}[\varphi\mathrm{V}\psi],\ \psi \wedge (\varphi \vee \mathrm{AXA}[\varphi\mathrm{V}\psi])\} \cup sub(\varphi) \cup sub(\psi)$

• $sub(\mathrm{E}[\varphi\mathrm{V}\psi]) = \{\mathrm{E}[\varphi\mathrm{V}\psi],\ \mathrm{EXE}[\varphi\mathrm{V}\psi],\ \varphi \vee \mathrm{EXE}[\varphi\mathrm{V}\psi],\ \psi \wedge (\varphi \vee \mathrm{EXE}[\varphi\mathrm{V}\psi])\} \cup sub(\varphi) \cup sub(\psi)$

The logic ATL is given by the following grammar:

$\varphi ::= \mathit{true} \mid \mathit{false} \mid p \mid \neg\varphi \mid \varphi \wedge \varphi \mid \varphi \vee \varphi \mid \langle\!\langle A \rangle\!\rangle\mathrm{X}\varphi \mid \langle\!\langle A \rangle\!\rangle[\varphi\mathrm{V}\varphi]$

where $p \in \mathcal{AP}$ and $A \subseteq \Sigma$, where Σ denotes the set of players. $\langle\!\langle A \rangle\!\rangle\varphi$ holds iff the players in A have a collective strategy to enforce the truth of φ.

3 The Model Repair Problem

Given a Kripke structure M and a specification formula φ, we consider the problem of removing parts of M, resulting in a substructure M' such that $M' \models \varphi$.

Definition 2 (Substructure). Given a Kripke structure $M = (s_0, S, R, L)$ and a structure $M' = (s'_0, S', R', L')$, we say that $M' \subseteq M$ iff $S' \subseteq S$, $s'_0 = s_0$, $R' \subseteq R$, and $L' = L|_{S'}$ (the restriction of L to S').

Definition 3 (Repairable). Given a Kripke structure $M = (s_0, S, R, L)$ and a formula η, M is repairable with respect to η if there exists a Kripke structure $M' = (s'_0, S', R', L')$ such that M' is total, $M' \subseteq M$, and $M', s_0 \models \eta$.

Recall that a Kripke structure is total iff every state has at least one outgoing transition.

Definition 4 (Model Repair Problem). Given a Kripke structure $M = (s_0, S, R, L)$ and a formula η, the repair problem is to decide if M is repairable with respect to η.

The model repair problem is defined for any temporal or modal logic for which the $\models$ relation is defined, e.g., μ-calculus, CTL*, CTL, etc. So, for example, we speak of the model repair problem for CTL (CTL model repair for short). An instance of model repair is then the pair (M, φ).
3.1 Complexity of the Model Repair Problem

Theorem 1. The model repair problem for CTL is NP-complete.

Corollary 1. Let L be any temporal logic interpreted in Kripke structures such that (1) model checking for L is in polynomial time, and (2) there exists a polynomial time reduction from CTL model checking to L model checking. Then the model repair problem for L is NP-complete.

An immediate consequence is that model repair for alternating-time temporal logic (ATL) is NP-complete.

3.2 CTL Model Repair using SAT solvers

Given an instance of model repair (M, η), where $M = (s_0, S, R, L)$ and η is a CTL formula, we define a propositional formula repair(M, η) such that repair(M, η) is satisfiable iff (M, η) has a solution. repair(M, η) is defined over the following propositions:

1. $E_{s,t}$ : $(s,t) \in R$

2. $X_{s,\psi}$ : $s \in S$, $\psi \in sub(\eta)$

3. $X^m_{s,\psi}$ : $s \in S$, $0 \le m \le |S|$, and $\psi \in sub(\eta)$ has the form $\mathrm{A}[\varphi\mathrm{V}\varphi']$ or $\mathrm{E}[\varphi\mathrm{V}\varphi']$

The meaning of $E_{s,t}$ is that the transition (s, t) is retained in the fixed model M' iff $E_{s,t}$ is assigned tt ("true") by the satisfying valuation V for repair(M, η). The meaning of $X_{s,\psi}$ is that ψ holds in state s. $X^m_{s,\psi}$ is used to propagate release formulae (AV or EV) for as long as necessary to determine their truth, i.e., |S| steps in the worst case.

A solution for satisfiability of repair(M, η), e.g., as given by a SAT solver, gives directly a solution to model repair. Denote this solution by model(M, V). Then $model(M, V) = (s'_0, S', R', L')$, where $R' = \{(s,t) \mid V(E_{s,t}) = \mathit{tt}\}$, S' consists of all states reachable from $s_0$ via paths of transitions in R', and $L' = L|_{S'}$. Note that model(M, V) does not depend directly on η.

Essentially, repair(M, η) encodes all of the usual local constraints, e.g., AXφ holds in s iff φ holds in all successors of s. We modify these, however, to take transition deletion into account. So, the local constraint for AX becomes: AXφ holds in s iff φ holds in all successors of s after transitions have been deleted (to effect the repair). More precisely, instead of $X_{s,\mathrm{AX}\varphi} \equiv \bigwedge_{t \mid s \to t} X_{t,\varphi}$, we have $X_{s,\mathrm{AX}\varphi} \equiv \bigwedge_{t \mid s \to t} (E_{s,t} \Rightarrow X_{t,\varphi})$. Here $s \to t$ abbreviates $(s,t) \in R$. The other modalities (EX, AV, EV) are treated similarly. We deal with AU, EU by reducing them to EV, AV using duality. We require that the repaired structure M' be total by requiring that every state has at least one outgoing transition.

Definition 5 (repair(M, η)). Let $M = (s_0, S, R, L)$ be a Kripke structure and η a CTL formula. Let $s \to t$ abbreviate $(s,t) \in R$. repair(M, η) is the conjunction of all the propositional formulae listed below. These are grouped into sections, where each section deals with one issue, e.g., propositional consistency. s, t implicitly range over S. Other ranges are explicitly given.

M' satisfies η:
$X_{s_0,\eta}$

M' is total, i.e., each state has an outgoing transition:
for all $s \in S$: $\bigvee_{t \mid s \to t} E_{s,t}$

Propositional labeling:
for all $p \in \mathcal{AP} \cap L(s)$: $X_{s,p}$
for all $p \in \mathcal{AP} - L(s)$: $\neg X_{s,p}$

Propositional consistency:
for all $\neg\varphi \in sub(\eta)$: $X_{s,\neg\varphi} \equiv \neg X_{s,\varphi}$
for all $\varphi \vee \psi \in sub(\eta)$: $X_{s,\varphi\vee\psi} \equiv X_{s,\varphi} \vee X_{s,\psi}$
for all $\varphi \wedge \psi \in sub(\eta)$: $X_{s,\varphi\wedge\psi} \equiv X_{s,\varphi} \wedge X_{s,\psi}$

Nexttime formulae:
for all $\mathrm{AX}\varphi \in sub(\eta)$: $X_{s,\mathrm{AX}\varphi} \equiv \bigwedge_{t \mid s \to t} (E_{s,t} \Rightarrow X_{t,\varphi})$
for all $\mathrm{EX}\varphi \in sub(\eta)$: $X_{s,\mathrm{EX}\varphi} \equiv \bigvee_{t \mid s \to t} (E_{s,t} \wedge X_{t,\varphi})$

Release formulae. Let n = |S|, i.e., the number of states in M.
for all $\mathrm{A}[\varphi\mathrm{V}\psi] \in sub(\eta)$: $X_{s,\mathrm{A}[\varphi\mathrm{V}\psi]} \equiv X^n_{s,\mathrm{A}[\varphi\mathrm{V}\psi]}$
for all $\mathrm{A}[\varphi\mathrm{V}\psi] \in sub(\eta)$, $m \in \{1 \ldots n\}$: $X^m_{s,\mathrm{A}[\varphi\mathrm{V}\psi]} \equiv X_{s,\psi} \wedge \big(X_{s,\varphi} \vee \bigwedge_{t \mid s \to t} (E_{s,t} \Rightarrow X^{m-1}_{t,\mathrm{A}[\varphi\mathrm{V}\psi]})\big)$
for all $\mathrm{A}[\varphi\mathrm{V}\psi] \in sub(\eta)$: $X^0_{s,\mathrm{A}[\varphi\mathrm{V}\psi]} \equiv X_{s,\psi}$
for all $\mathrm{E}[\varphi\mathrm{V}\psi] \in sub(\eta)$: $X_{s,\mathrm{E}[\varphi\mathrm{V}\psi]} \equiv X^n_{s,\mathrm{E}[\varphi\mathrm{V}\psi]}$
for all $\mathrm{E}[\varphi\mathrm{V}\psi] \in sub(\eta)$, $m \in \{1 \ldots n\}$: $X^m_{s,\mathrm{E}[\varphi\mathrm{V}\psi]} \equiv X_{s,\psi} \wedge \big(X_{s,\varphi} \vee \bigvee_{t \mid s \to t} (E_{s,t} \wedge X^{m-1}_{t,\mathrm{E}[\varphi\mathrm{V}\psi]})\big)$
for all $\mathrm{E}[\varphi\mathrm{V}\psi] \in sub(\eta)$: $X^0_{s,\mathrm{E}[\varphi\mathrm{V}\psi]} \equiv X_{s,\psi}$

We handle the release modality [φVψ] as follows. Along each path, either (1) a state is reached where [φVψ] is discharged (φ ∧ ψ), or (2) [φVψ] is shown to be false (¬φ ∧ ¬ψ), or (3) some state eventually repeats. In case (3), we know that the release also holds along this path. Thus, by expanding the release modality up to n times, where n is the number of states in the original structure M, we ensure that the third case holds if the first two have not yet resolved the truth of [φVψ] along the path in question. To carry out the expansion correctly, we use a version of $X_{s,\mathrm{A}[\varphi\mathrm{V}\psi]}$ that is superscripted with an integer between 0 and n. This imposes a "well foundedness" on the $X^m_{s,\mathrm{A}[\varphi\mathrm{V}\psi]}$ propositions, and prevents, for example, a cycle along which ψ holds in all states and yet $X_{s,\mathrm{A}[\varphi\mathrm{V}\psi]}$ is assigned false in all states s along the cycle.

Note that the above requires all states, even those rendered unreachable by transition deletion, to have some outgoing transition. This "extra" requirement on the unreachable states does not affect the method, however, since there will actually remain a satisfying assignment which allows unreachable states to retain all their outgoing transitions, if some $M' \subseteq M$ exists that satisfies η. For s unreachable from $s_0$ in M', assign to $X_{s,\varphi}$ the value that results from model checking $M', s \models \varphi$. This gives a consistent assignment that satisfies repair(M, η). Clearly, $X_{s,\varphi}$ does not affect $X_{s_0,\eta}$ since s is unreachable from $s_0$.

In each state $s \in S$, there are $O(|\eta| \times |S|)$ formulae to check, each of which has length O(d), where d is the maximum number of successors that any state in S has. The sum of lengths of all these formulae is $O(|\eta| \times |S|^2 \times d)$. The propositional labelling formulae add $O(|S| \times |\mathcal{AP}|)$ length, and so the size of repair(M, η) is $O(|\eta| \times |S|^2 \times d + |S| \times |\mathcal{AP}|)$, and so is polynomial in the size of (M, η). Clearly, repair(M, η) can be constructed in polynomial time. Figure 1 presents our model repair algorithm, Repair(M, η), which we show is sound, and complete provided that a complete SAT-solver is used. Recall that we use model(M, V) to denote the structure M' derived from the repair of M w.r.t. η, i.e., $M' = (s'_0, S', R', L')$, where $R' = \{(s,t) \mid V(E_{s,t}) = \mathit{tt}\}$, S' consists of all states reachable from $s_0$ via paths of transitions in R', and $L' = L|_{S'}$.

Theorem 2 (Soundness). Let $M = (s_0, S, R, L)$ be a Kripke structure, η a CTL formula, and n = |S|. Suppose that repair(M, η) is satisfiable and that V is a satisfying truth assignment for it. Let M' = model(M, V). Then for all reachable states $s \in S'$ and CTL formulae $\xi \in sub(\eta)$:

$V(X_{s,\xi}) = \mathit{tt}$ iff $M', s \models \xi$, and

for $m \in \{1 \ldots n\}$: $V(X^m_{s,\xi}) = \mathit{tt}$ iff $M', s \models \xi$

Corollary 2 (Soundness). If Repair(M, η) returns a structure $M' = (s_0, S', R', L')$, then (1) M' is total, (2) $M' \subseteq M$, (3) $M', s_0 \models \eta$, and (4) M is repairable.

Theorem 3 (Completeness). If M is repairable with respect to η then Repair(M, η) returns a Kripke structure M'' such that M'' is total, $M'' \subseteq M$, and $M'', s_0 \models \eta$.

Since M' results by removing transitions and unreachable states from M, the relation mapping each state in M' to "itself" in M is a simulation relation [13] from M' to M. Hence the following, where ACTL* [13] is the universal fragment (no existential path quantifier) of CTL*, and clause (2) follows from [13].

Proposition 1. If Repair(M, η) returns a structure M', then (1) there is a simulation relation from M' to M, and (2) for all ACTL* formulae f, $M \models f$ implies $M' \models f$.



Repair(M, η):
    model check $M, s_0 \models \eta$;
    if successful, then return M
    else
        compute repair(M, η) as given in Section 3;
        submit repair(M, η) to a sound and complete SAT-solver;
        if the SAT-solver returns "not satisfiable" then
            return "failure"
        else
            the solver returns a satisfying assignment V;
            return M' = model(M, V)

Figure 1: The model repair algorithm.



3.3 ATL Model Repair using SAT solvers

We adapt Definition 5 for ATL as follows. We omit the conjuncts for AXφ, EXφ, A[φVψ], E[φVψ], and add the following conjuncts. Here σ(s) is the player whose turn it is to move in state s.

Nexttime formulae:
for all $\langle\!\langle A \rangle\!\rangle\mathrm{X}\varphi \in sub(\eta)$: $X_{s,\langle\!\langle A \rangle\!\rangle\mathrm{X}\varphi} \equiv \bigvee_{t \mid s \to t} (E_{s,t} \wedge X_{t,\varphi})$ if $\sigma(s) \in A$, and $X_{s,\langle\!\langle A \rangle\!\rangle\mathrm{X}\varphi} \equiv \bigwedge_{t \mid s \to t} (E_{s,t} \Rightarrow X_{t,\varphi})$ otherwise

Release formulae. Let n = |S| and $m \in \{1 \ldots n\}$. Then, for all $\langle\!\langle A \rangle\!\rangle[\varphi\mathrm{V}\psi] \in sub(\eta)$ we have the following conjuncts:
$X^m_{s,\langle\!\langle A \rangle\!\rangle[\varphi\mathrm{V}\psi]} \equiv X_{s,\psi} \wedge \big(X_{s,\varphi} \vee \bigvee_{t \mid s \to t} (E_{s,t} \wedge X^{m-1}_{t,\langle\!\langle A \rangle\!\rangle[\varphi\mathrm{V}\psi]})\big)$ if $\sigma(s) \in A$
$X^m_{s,\langle\!\langle A \rangle\!\rangle[\varphi\mathrm{V}\psi]} \equiv X_{s,\psi} \wedge \big(X_{s,\varphi} \vee \bigwedge_{t \mid s \to t} (E_{s,t} \Rightarrow X^{m-1}_{t,\langle\!\langle A \rangle\!\rangle[\varphi\mathrm{V}\psi]})\big)$ otherwise

As in Definition 5, the above formula encodes the possibilities for valuation of η and all its subformulae on M, and the possible substructures resulting from deleting transitions from M. We can still reduce until to release, since $\langle\!\langle A \rangle\!\rangle[\varphi\mathrm{U}\psi] = \neg\langle\!\langle \Sigma - A \rangle\!\rangle[\neg\varphi\mathrm{V}\neg\psi]$ in turn-based synchronous games [17].

4 Extensions of the Subtractive Repair Algorithm

We now present several extensions to the subtractive repair algorithm given in the previous section.

4.1 Addition of States and Transitions

The subtractive repair algorithm performs repair by deleting transitions, with states being implicitly deleted if they become unreachable. Let $M = (s_0, S, R, L)$ be a Kripke structure with underlying set of atomic propositions $\mathcal{AP}$. By adding some states and transitions to M before performing repair, we can end up with a substructure M' that includes some of the added states. Thus, we have additive repair: repair performed by adding states and transitions.

Let $S^+$ be a finite set of states such that $S \cap S^+ = \emptyset$, let $L^+$ be an extension of L to $S \cup S^+$, and let $R^+$ be a subset of $(S \cup S^+) \times (S \cup S^+) - R$. Let $M^+ = (s_0, S \cup S^+, R \cup R^+, L^+)$. So, $S^+$ represents the states that are added to M, and $R^+$ represents the transitions that are added. Note that added transitions can involve only the original states (S), only the added states ($S^+$), or one state from each of S, $S^+$. We now execute the subtractive repair algorithm of Figure 1, i.e., Repair($M^+$, η).

In practice, the added states and transitions would be determined either manually, by the user of the repair tool, or mechanically using heuristics. While it seems possible to modify the repair formula directly to accommodate state/transition addition (e.g., by introducing new propositions for the added states and transitions), doing so does not seem to be any better than adding to the structure M and then regenerating the repair formula using the existing Definition 5. Note that Proposition 1 no longer holds when we add states and transitions.
4.2 Discrete Event Supervisory Control

In the well-known discrete event supervisory control problem (DESC) [18, 19], a Kripke structure is given in which the transitions are labelled as "controllable" and "not controllable". The problem is to delete (disable) only controllable transitions so that the resulting structure satisfies a property, e.g., expressed in CTL. We easily subsume DESC when the property is expressed in CTL as follows. Conjoin to the repair formula repair(M, η) the transition propositions $E_{s,t}$ for all uncontrollable transitions $s \to t$. Thus, we submit the following formula to the SAT solver: $repair(M, \eta) \wedge \bigwedge_{(s,t)\ \mathrm{uncontrollable}} E_{s,t}$. The resulting assignment produced by the SAT solver must then assign tt to $E_{s,t}$ for all uncontrollable transitions $s \to t$, and so none of these transitions are deleted. By Theorem 3 (completeness), our repair method will then find a solution that involves deleting only controllable transitions, if such a solution exists. Thus, we subsume the discrete event supervisory control problem.

4.3 Generalized Boolean Constraints on Transition and State Deletion

The reduction given above used only simple conjunctions of $E_{s,t}$ propositions. We can conjoin arbitrary boolean formulae over the $E_{s,t}$ to repair(M, η); e.g., $E_{s,t} \equiv E_{s',t'} \wedge E_{s',t'} \equiv E_{s'',t''}$ adds the constraint that either all three transitions $s \to t$, $s' \to t'$, $s'' \to t''$ are deleted, or none are. This is useful in enforcing atomic read/write semantics in shared memory, as discussed below.

We can also add constraints on deleting states as follows. We can introduce a proposition $N_s$ (N for "node") for each state s with the meaning that s is retained in the final model iff $N_s$ is assigned tt. We now modify the clause for M' being total to: for all $s \in S$: $N_s \Rightarrow \bigvee_{t \mid s \to t} E_{s,t}$, and we add as conjunct: for all $s \in S$: $\neg N_s \Rightarrow (\bigwedge_{t \mid s \to t} \neg E_{s,t}) \wedge (\bigwedge_{t \mid t \to s} \neg E_{t,s})$, that is, a nondeleted state must have some outgoing transition, and a deleted state has no transitions, either incoming or outgoing.

Suppose we have a Kripke structure for two processes $P_1$ and $P_2$ executing some protocol, e.g., mutual exclusion. We can both fix the protocol and require the result to be symmetric in $P_1$ and $P_2$ (i.e., the code for $P_2$ results from interchanging the process indices 1 and 2 in the code for $P_1$ [3]) by adding the conjunct $N_s \equiv N_t$ for every pair of symmetric states s, t, i.e., such that t results from s by interchanging the process indices 1 and 2, and likewise for symmetric transitions (start and end states are symmetric). Thus, we can check for the existence of symmetric concurrent algorithms. Note that these more general constraints cannot be dealt with by discrete event supervisory control, which only allows one to specify individual transitions as controllable or not, and does not allow relating the deletion of one transition to the deletion of another.

4.4 Concurrent Program Repair

We now extend our approach to the repair of shared memory concurrent programs $P = P_1 \parallel \cdots \parallel P_K$, where processes atomically read or write one shared variable at a time. We provide repair w.r.t. CTL specifications. We partition $\mathcal{AP}$ into $\mathcal{AP}_1, \ldots, \mathcal{AP}_K$, where $\mathcal{AP}_i$ consists of the atomic propositions that can only be written by $P_i$ (but can be read by other processes). There are also shared variables $x_1, \ldots, x_m$ (with finite domains) that can be read and written by all processes.

We use the atomic read/write notation introduced in [4, 5] for atomic read/write programs. Each process $P_i$ is a synchronization skeleton [11], i.e., a directed graph where the nodes are local states that determine a truth assignment for the propositions in $\mathcal{AP}_i$, and the arcs between nodes are labeled with guarded commands; the guard reads atomic propositions of other processes and shared variables, and the body is a parallel assignment that updates shared variables.

The atomic propositions in $\mathcal{AP}_i$ are consolidated into a single variable $L_i$ (the "externally visible location counter") owned by $P_i$ (i.e., written by $P_i$ and read by other processes), so that the value of $L_i$ in $s_i$ is the set of all propositions in $\mathcal{AP}_i$ that hold in $s_i$. $L_i$ provides incomplete information to other processes about the current local state of $P_i$: when $P_i$ writes to $L_i$, its change of local state is visible to other processes. When $P_i$ writes to a shared variable x, or reads, then its change of local state is not visible to other processes. Since $L_i$ encodes location information, a single machine word is usually sufficient to store $L_i$.

$(s_i, B \to A, t_i)$ denotes an arc in $P_i$, from local state $s_i$ to local state $t_i$, that is labeled with guarded command $B \to A$. The restrictions to atomic read/write syntax (cf. Definition 3.1.4 in [5]) are that each arc $(s_i, B \to A, t_i)$ of $P_i$ is either:

- unguarded and single-writing: there is no guard (i.e., B is "true") and A either writes to $L_i$ (i.e., $L_i$ has different values in $s_i$ and $t_i$, so its value in $t_i$ must be written into it by A) or it writes to a single shared variable x (i.e., A has the form x := c, where c is a value from the domain of x, in which case $L_i$ must have the same value in $s_i$ and $t_i$).

- single-reading and nonwriting: there is no assignment (i.e., A is "skip"), $L_i$ has the same value in $s_i$ and $t_i$, and B has the form $Q_j \in L_j$ where $Q_j \in \mathcal{AP}_j$, $j \neq i$, or the form x = c. We call such a form for B a simple term.

A global state s is a tuple $(s_1, \ldots, s_K, \ldots)$ consisting of the current local state $s_i$ of each $P_i$ together with the current value of each shared variable $x_j$. We write $s{\restriction}i$ for the component of s that gives the local state of $P_i$.

An arc $arc = (s_i, B \to A, t_i)$ of $P_i$ is enabled in global state s iff $s{\restriction}i = s_i$ and s(B) = true. Execution of $(s_i, B \to A, t_i)$ in a global state s where it is enabled generates a transition $s \to t$, where t results from s by changing the local state of $P_i$ from $s_i$ to $t_i$, and changing the value of x to c if A has the form x := c. In general, an arc can be enabled in several global states. In the global state transition diagram M generated by execution of P, the set of all transitions generated by a single arc is called a family. We label every transition by the name of the family that it belongs to. Two different families do not intersect, since their transitions have different labels, even if the transitions have the same "effect" on the global state. This makes the technical development more convenient and does not cause loss of generality. Thus, the set of transitions in M is partitioned into families.

Let P be a shared memory atomic read/write concurrent program, and η a CTL specification for P. We generate the global state transition diagram $M = (s_0, S, R, L)$ of P. Suppose that repair(M, η) has a satisfying assignment V, and that $V(E_{s,t}) = \mathit{ff}$ for some transition (s, t) in M. Let $\mathcal{F}$ be the family that (s, t) belongs to, and $P_i$ be the process in which the arc arc generating $\mathcal{F}$ occurs. To preclude executing arc in global state s, the repaired $P_i$ must detect that s is actually the current global state (and then not execute arc). This requires that $P_i$ read enough externally visible location counters $L_j$, $j \neq i$, and shared variables, so that it can determine a pattern of assignment of values to these that is unique to s. In general, this may require that $P_i$ read several location counters and shared variables atomically.

We now have two cases, depending on arc. First, suppose that arc is unguarded and single-writing. Then we cannot modify arc to read any information without violating the atomic read/write syntax restriction (effectively, arc would become a test-and-set operation). We are thus left with two options: either make s unreachable, by deleting other transitions, or delete all the transitions in $\mathcal{F}$. This can be expressed as $(\bigwedge_{(s,t)\in\mathcal{F}} (\neg E_{s,t} \Rightarrow \neg r_s)) \vee (\bigwedge_{(s,t)\in\mathcal{F}} \neg E_{s,t})$, where $r_s$ is the "reachability" proposition given in Definition 5. The first disjunct states that deletion of (s, t) requires that s be unreachable. The second disjunct states that all transitions in $\mathcal{F}$ are deleted. We add the above as a conjunct to repair(M, η).

The second case is that $arc = (s_i, B \to A, t_i)$ is single-reading and nonwriting. Since B holds in s, the repair cannot allow B to continue being used as the guard for arc, unless s is made unreachable (in which case B is never evaluated in s), or the entire family $\mathcal{F}$ is deleted, in which case the arc arc is removed from $P_i$. However, it is possible that a simple term other than B could be used to effect a repair, namely one that holds in the initial states of all transitions in $\mathcal{F}$ except for the transition (s, t), i.e., in all states s' such that $s' \neq s \wedge \exists t' : (s', t') \in \mathcal{F}$, and also does not hold in any other global state. In [5], an algorithm for finding a suitable simple term, if it exists, is presented. Essentially, the algorithm checks all possible simple terms (their number is O(|M|)). While our approach is not able to replace the guard B by another guard, it is capable of deleting unsuitable simple terms, by removing the family corresponding to the arc in which the simple term is used as a guard. This encourages an experimental style, where we add extra arcs to the synchronization skeletons in the initial program, if we think they may contain suitable guards. Since this does not increase the number of local states of any process, nor the number of shared variables, the number of global states is unaffected. Thus, we could even add arcs for every possible simple term. Note however that Proposition 1 could be violated, as the additional arcs may induce additional transitions in M' that are not simulated by M. The conclusion of the preceding discussion is that we use the same idea for repair as we did for the unguarded and single-writing case, namely add $(\bigwedge_{(s,t)\in\mathcal{F}} (\neg E_{s,t} \Rightarrow \neg r_s)) \vee (\bigwedge_{(s,t)\in\mathcal{F}} \neg E_{s,t})$ as a conjunct to repair(M, η), with the possibility that we add "extra arcs" before repairing, to increase the possibilities for the repair.

5 Examples

5.1 Simple Example for CTL Model Repair

Consider the model in Figure 2 and the formula $\eta = (\mathrm{AG}p \vee \mathrm{AG}q) \wedge \mathrm{EX}p$. Manual simplification of repair(M, η) yields $X_{s,\eta} \equiv \neg E_{s,t} \wedge E_{s,u}$, so Repair(M, η) will remove the edge (s, t) as shown. Our implementation produces the following truth assignment:
A_A_A & s_u & ~s_t & u_s & t_s & ~u_5_0 & ~t_l_0 & s_10_0 & s_7_0 & 
s_9_0 & s_0_0 & ~t_4_0 & ~s_5_0 & ~u_l_0 & ~s_6_0 & t_2_0 & ~u_2_0 & 
t_0_0 & ~s_l_0 & ~t_3_0 & s_2_0 & s_8_0 & u_4_0 & ~s_3_0 & t_5_0 & 
u_3_0 & s_4_0 & u_0_0 
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Figure 2: Input Kripke structure. 

The variable s_t represents the edge from s to t, etc. Note that s_t is 
negated, indicating an assignment of ff, i.e., the edge should be deleted, as 
required. 

We also ran our implementation with repair formula AXp A AX-ip. As 
expected, it returned "unsatisfiable," indicating that no repair exists. 

5.2 Barrier Synchronization Problem Repair 

In this problem, each process $P_i$ is a cyclic sequence of two terminating
phases, phase A and phase B. $P_i$ ($i \in \{1, 2\}$) is in exactly one of four local
states, $SA_i$, $EA_i$, $SB_i$, $EB_i$, corresponding to the start of phase A, then the
end of phase A, then the start of phase B, and then the end of phase B,
afterwards cycling back to $SA_i$. The CTL specification is the conjunction
of the following:

1. Initially both processes are at the start of phase A: $SA_1 \wedge SA_2$

2. $P_1$ and $P_2$ are never simultaneously at the start of different phases:

   $AG(\neg(SA_1 \wedge SB_2)) \wedge AG(\neg(SA_2 \wedge SB_1))$

3. $P_1$ and $P_2$ are never simultaneously at the end of different phases:

   $AG(\neg(EA_1 \wedge EB_2)) \wedge AG(\neg(EA_2 \wedge EB_1))$

(2) and (3) together specify the synchronization aspect of the problem: $P_1$
can never get one whole phase ahead of $P_2$ and vice-versa.

The structure in Figure 3 is repaired by removing edges and states that
cause the violation of the synchronization rules (2) and (3).^1 Our implemen-
tation produced exactly this repair. The repair formula in CNF contained
236 propositions and 401 clauses.

^1 Note that the bottom $[SA_1\,SA_2]$ state is the same as the top state, and is
repeated only for clarity of the figure.

Figure 3: Barrier synchronization repair.



6 Implementation of the Repair Method 

We implemented the method in Python. Our implementation takes a Kripke
structure M and CTL formula η as input, generates repair(M, η) as given
by Definition 5, converts it to CNF, and then invokes the SAT solver zChaff.
The implementation is available at http://www.cs.aub.edu.lb/pa07/pca/Eshmun.html

Table 1 gives performance figures for our implementation, running on
a PC with Pentium 4 CPU at 3.00GHz, and 512MB RAM. For M, we
generated transition graphs randomly, specifying the number of nodes N
and the probability P that there is a transition from some given node to
some other given node. We used a constant probability P = 0.1. In M, we
used $\mathcal{AP} = \{p, q\}$, and the propositional labels were generated randomly for
each state.

We show the number of propositions and clauses in the CNF form of
repair(M, η), and the total time our implementation takes to produce a
satisfying assignment. This shows a typically expected increase with the
number of nodes in the graph.

For N = 20, 30 we used $\eta = AXA[p\,V\,q] \wedge EXq$. For N = 40 to 80, we used
$\eta = A[p\,V\,q]$.

Table 1: Model Repair Results

  N    Propositions    Clauses        Time
  30        309           3506      2.437s
  40        449           3986      3.563s
  50        608          13909      9.228s
  60        781          47665     31.223s
  70        993         106136   1m52.231s
  80       1183         174107   3m17.140s



7 Conclusions 

We presented a method for repairing Kripke structures and concurrent pro-
grams so that they satisfy a CTL formula η, by deleting transitions that
"cause" violation of η. Our method is sound, and is complete relative to our
transition deletion strategy. We address the NP-completeness of our model 
repair problem by translating it (in polynomial time) into a propositional 
formula, such that a satisfying assignment determines a solution to model 
repair. Thus, we can bring SAT solvers to bear, which leads us to believe 
that our method will apply to nontrivial structures and programs, despite 
the NP-completeness. Unlike other methods, ours both fixes all counterex- 
amples at once, and is complete for temporal properties, specifically full 
CTL. We extended our method in various directions, to allow addition of 
states and transitions, to solve discrete event supervisory control, and to 
repair shared memory concurrent programs. We also provided experimental 
results from our implementation. 

Future work includes application of our implementation to larger exam- 
ples and case studies, and extension to hierarchical Kripke structures. Our 
implementation is useful in model construction, where it provides a check 
that the constructed structure contains a model. 
A Manual Simplification of the Repair Formula of
the First Example

We show how repair(M, η) for our first example in Section 5 is simplified
manually. We omit the clauses dealing with reachability.

$X_{s,\eta} = X_{s,(AGp \vee AGq) \wedge EXp}$
$X_{s,(AGp \vee AGq) \wedge EXp} = X_{s,AGp \vee AGq} \wedge X_{s,EXp}$
$X_{s,AGp \vee AGq} = X_{s,AGp} \vee X_{s,AGq}$

We start by solving for $X_{s,AGp}$. Since $AGp = A[false\,V\,p]$ is a release
formula, its counter starts at $n = |S| = 3$ and counts down to 0.

$X_{s,AGp} = X^3_{s,AGp}$
$X^3_{s,AGp} = X_{s,p} \wedge (E_{s,t} \Rightarrow X^2_{t,AGp}) \wedge (E_{s,u} \Rightarrow X^2_{u,AGp})$
$X^2_{t,AGp} = X_{t,p} \wedge (E_{t,s} \Rightarrow X^1_{s,AGp})$
$X^2_{u,AGp} = X_{u,p} \wedge (E_{u,s} \Rightarrow X^1_{s,AGp})$
$X^1_{s,AGp} = X_{s,p} \wedge (E_{s,t} \Rightarrow X^0_{t,AGp}) \wedge (E_{s,u} \Rightarrow X^0_{u,AGp})$
$X^0_{t,AGp} = X_{t,p} = ff$
$X^0_{u,AGp} = X_{u,p} = tt$

By replacing $X_{s,p}$ etc. by their truth values, we can simplify the above as
follows. It is more intuitive to work "bottom up":

$X^1_{s,AGp} = \neg E_{s,t}$
$X^2_{t,AGp} = ff$ (since $X_{t,p} = ff$)
$X^2_{u,AGp} = (E_{u,s} \Rightarrow X^1_{s,AGp})$
$X^2_{u,AGp} = E_{u,s} \Rightarrow \neg E_{s,t}$
$X^3_{s,AGp} = \neg E_{s,t} \wedge (E_{s,u} \Rightarrow X^2_{u,AGp})$
$X^3_{s,AGp} = \neg E_{s,t} \wedge (E_{s,u} \Rightarrow (E_{u,s} \Rightarrow \neg E_{s,t})) = \neg E_{s,t}$
$X_{s,AGp} = \neg E_{s,t}$

Symmetrically, we have:

$X_{s,AGq} = \neg E_{s,u}$

It remains to solve for $X_{s,EXp}$.

$X_{s,EXp} = (E_{s,t} \wedge X_{t,p}) \vee (E_{s,u} \wedge X_{u,p})$

By replacing $X_{t,p}$ and $X_{u,p}$ by their values we get:

$X_{s,EXp} = (E_{s,t} \wedge ff) \vee (E_{s,u} \wedge tt) = E_{s,u}$

Therefore, we now can solve for $X_{s,\eta}$, producing:

$X_{s,\eta} = (\neg E_{s,t} \vee \neg E_{s,u}) \wedge E_{s,u} = \neg E_{s,t} \wedge E_{s,u}$

The above solution implies that Repair(M, η) will remove the edge (s, t)
and all the resulting unreachable states as shown in Figure 2.

Note that for $\eta = (AGp \vee AGq)$, we obtain $X_{s,\eta} = (\neg E_{s,t} \vee \neg E_{s,u})$, which
admits two satisfying valuations, i.e., removing either (s, t) or (s, u) produces
the needed repair.
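The simplification just carried out, and the truth assignment reported in Section 5.1, can be reproduced mechanically. The following Python is an added example, not the paper's Eshmun implementation: it evaluates the variables $X_{s,\varphi}$ of Definition 5 as boolean functions of the edge variables $E_{s,t}$ for the three-state structure of Figure 2, with the counter of a release formula starting at $n = |S|$ as in the proof of Theorem 2, and then enumerates the edge valuations that make $X_{s,\eta}$ true while leaving every reachable state with an outgoing edge. The state labelling is an assumption read off Appendix A (p fails only in t, q fails only in u); reachability is computed directly from the edge valuation rather than through the omitted reachability clauses; and the encoding of $E[\varphi V \psi]$ mirrors the universal case with a disjunction over successors, which is this example's reading of the "expand along one path" remark in Appendix B.3.

```python
from itertools import product

# Constructed structure of Figure 2 (assumption: labels taken from the
# derivation in Appendix A, where X_{t,p} = ff and X_{u,p} = tt, and
# symmetrically for q).
STATES = ["s", "t", "u"]
EDGES = [("s", "t"), ("s", "u"), ("t", "s"), ("u", "s")]
LABEL = {"s": {"p", "q"}, "t": {"q"}, "u": {"p"}}
INIT = "s"

# Formulas are nested tuples: ("prop", "p"), ("true",), ("false",),
# ("not", f), ("and", f, g), ("or", f, g), ("AX", f), ("EX", f),
# ("AV", f, g) for A[f V g] and ("EV", f, g) for E[f V g].
def X(s, phi, E, k=None):
    """Value of X_{s,phi} under edge valuation E (dict edge -> bool).
    For release formulas k is the counter of X^k; the top-level value is
    X^n with n = |S|, and X^0_{s,[f V g]} = X_{s,g}."""
    op = phi[0]
    succ = [t for (a, t) in EDGES if a == s]
    if op == "true":
        return True
    if op == "false":
        return False
    if op == "prop":                      # propositional labeling clause
        return phi[1] in LABEL[s]
    if op == "not":                       # propositional consistency clauses
        return not X(s, phi[1], E)
    if op == "and":
        return X(s, phi[1], E) and X(s, phi[2], E)
    if op == "or":
        return X(s, phi[1], E) or X(s, phi[2], E)
    if op == "AX":                        # /\_{t|s->t} (E_{s,t} => X_{t,f})
        return all((not E[(s, t)]) or X(t, phi[1], E) for t in succ)
    if op == "EX":                        # \/_{t|s->t} (E_{s,t} /\ X_{t,f})
        return any(E[(s, t)] and X(t, phi[1], E) for t in succ)
    if op in ("AV", "EV"):                # release, counting down from n
        f, g = phi[1], phi[2]
        if k is None:
            k = len(STATES)
        if k == 0:
            return X(s, g, E)
        if not X(s, g, E):
            return False
        if X(s, f, E):
            return True
        if op == "AV":
            return all((not E[(s, t)]) or X(t, phi, E, k - 1) for t in succ)
        return any(E[(s, t)] and X(t, phi, E, k - 1) for t in succ)
    raise ValueError(f"unknown operator {op}")

def reachable(E):
    """States reachable from INIT using only retained edges."""
    seen, stack = {INIT}, [INIT]
    while stack:
        a = stack.pop()
        for (x, t) in EDGES:
            if x == a and E[(x, t)] and t not in seen:
                seen.add(t)
                stack.append(t)
    return seen

def repairs(eta):
    """Edge subsets satisfying X_{s0,eta} with every reachable state total."""
    sols = []
    for bits in product([False, True], repeat=len(EDGES)):
        E = dict(zip(EDGES, bits))
        if not X(INIT, eta, E):
            continue
        if all(any(E[(a, t)] for (a, t) in EDGES if a == u) for u in reachable(E)):
            sols.append(frozenset(e for e in EDGES if E[e]))
    return sols

P, Q = ("prop", "p"), ("prop", "q")

def AG(f):
    return ("AV", ("false",), f)          # AG f abbreviates A[false V f]

ETA = ("and", ("or", AG(P), AG(Q)), ("EX", P))   # (AGp \/ AGq) /\ EXp

if __name__ == "__main__":
    for kept in repairs(ETA):
        print(sorted(kept))
    print(repairs(("and", ("AX", P), ("AX", ("not", P)))))   # prints []
```

Running it reproduces the outcomes reported above: for $\eta = (AGp \vee AGq) \wedge EXp$ every solution drops (s, t) and keeps (s, u) and (u, s), with $E_{t,s}$ left unconstrained because t is unreachable after the repair; for $AXp \wedge AX\neg p$ no valuation survives the totality check; and for $AGp \vee AGq$ the solutions split into those dropping (s, t) and those dropping (s, u).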
B Proofs

B.1 Proof of Theorem 1

Proof. Let (M, η) be an arbitrary instance of the CTL model repair problem.

NP-membership: Given a candidate solution M', the condition $M' \subseteq M$
is easily verified in polynomial time. $M', s_0 \models \eta$ is verified in linear time
using the CTL model checking algorithm of [8].

NP-hardness: We reduce 3SAT to CTL model repair.

Given a Boolean formula $f = \bigwedge_{1 \le i \le n} (a_i \vee b_i \vee c_i)$ in 3CNF, where $a_i, b_i, c_i$
are literals over the set $x_1, \ldots, x_m$ of propositions, i.e., each of $a_i, b_i, c_i$ is $x_j$
or $\neg x_j$ for some $j \in 1 \ldots m$. We reduce f to (M, η) where $M = (s_0, S, R, L)$,
$S = \{s_0, s_1, \ldots, s_m, t_1, \ldots, t_m\}$, and $R = \{(s_0,s_1), \ldots, (s_0,s_m), \ldots, (s_m, \ldots$
i.e., transitions from $s_0$ to each of $s_1, \ldots, s_m$, and a transition from each $s_i$
to $t_i$ for $i = 1, \ldots, m$. The underlying set $\mathcal{AP}$ of atomic propositions is
$\{p_1, \ldots, p_m, q_1, \ldots, q_m\}$. These propositions are distinct from the $x_1, \ldots, x_m$
used in the 3CNF formula f. L is given by:

• $L(s_0) = \emptyset$

• $L(s_j) = \{p_j\}$ where $1 \le j \le m$

• $L(t_j) = \{q_j\}$ where $1 \le j \le m$

η is given by:

$\eta = \bigwedge_{1 \le i \le n} (\varphi^a_i \vee \varphi^b_i \vee \varphi^c_i)$

where:

• if $a_i = x_j$ then $\varphi^a_i = AG(p_j \Rightarrow EXq_j)$

• if $a_i = \neg x_j$ then $\varphi^a_i = AG(p_j \Rightarrow AX\neg q_j)$

• if $b_i = x_j$ then $\varphi^b_i = AG(p_j \Rightarrow EXq_j)$

• if $b_i = \neg x_j$ then $\varphi^b_i = AG(p_j \Rightarrow AX\neg q_j)$

• if $c_i = x_j$ then $\varphi^c_i = AG(p_j \Rightarrow EXq_j)$

• if $c_i = \neg x_j$ then $\varphi^c_i = AG(p_j \Rightarrow AX\neg q_j)$

Thus, if $a_i = x_j$, then the transition from $s_j$ to $t_j$ (which we write as $s_j \rightarrow t_j$)
must be retained in M', and if $a_i = \neg x_j$, then the transition $s_j \rightarrow t_j$ must
not appear in M'. It is obvious that the reduction can be computed in
polynomial time.

It remains to show that:

f is satisfiable iff (M, η) can be fixed. The proof is by double implication.

f is satisfiable implies that (M, η) can be fixed: Let $V : \{x_1, \ldots, x_m\} \rightarrow
\{tt, ff\}$ be a satisfying truth assignment for f. Define R' as follows. $R' =
\{(s_0,s_i), (s_i,s_i), (t_i,t_i) \mid 1 \le i \le m\} \cup \{(s_i,t_i) \mid V(x_i) = tt\}$, i.e., the tran-
sition $s_i \rightarrow t_i$ is present in M' if $V(x_i) = tt$ and $s_i \rightarrow t_i$ is deleted in M'
if $V(x_i) = ff$. We show that $M', s_0 \models \eta$. Since V is a satisfying assignment,
we have $\bigwedge_{1 \le i \le n} (V(a_i) \vee V(b_i) \vee V(c_i))$. Without loss of generality, assume
that $V(a_i) = tt$ (similar argument for $V(b_i) = tt$ and $V(c_i) = tt$). We have
two cases. Case 1 is $a_i = x_j$. Then $V(x_j) = tt$, so $(s_j,t_j) \in R'$. Also since
$a_i = x_j$, $\varphi^a_i = AG(p_j \Rightarrow EXq_j)$. Since $(s_j,t_j) \in R'$, $M', s_0 \models \varphi^a_i$. Hence
$M', s_0 \models \eta$. Case 2 is $a_i = \neg x_j$. Then $V(x_j) = ff$, so $(s_j,t_j) \notin R'$. Also
since $a_i = \neg x_j$, $\varphi^a_i = AG(p_j \Rightarrow AX\neg q_j)$. Since $(s_j,t_j) \notin R'$, $M', s_0 \models \varphi^a_i$.
Hence $M', s_0 \models \eta$.

f is satisfiable follows from (M, η) can be fixed: Let $M' = (s_0, S', R', L')$
be such that $M' \subseteq M$, $M', s_0 \models \eta$. We define a truth assignment V as
follows: $V(x_j) = tt$ iff $(s_j,t_j) \in R'$. We show that $V(f) = tt$, i.e., $V(a_i) \vee
V(b_i) \vee V(c_i)$ for all $i = 1 \ldots n$. Since $M', s_0 \models \eta$ we have $M', s_0 \models \varphi^a_i \vee \varphi^b_i \vee \varphi^c_i$
for all $i = 1 \ldots n$. Without loss of generality, suppose that $M', s_0 \models \varphi^a_i$
(similar argument for $M', s_0 \models \varphi^b_i$ and $M', s_0 \models \varphi^c_i$). We have two cases.

Case 1 is $a_i = x_j$. Then $\varphi^a_i = AG(p_j \Rightarrow EXq_j)$. Since $M', s_0 \models \varphi^a_i$, we
must have $(s_j,t_j) \in R'$. Hence $V(x_j) = tt$ by definition of V. Therefore
$V(a_i) = tt$. Hence $V(a_i) \vee V(b_i) \vee V(c_i)$. Case 2 is $a_i = \neg x_j$. Then $\varphi^a_i =
AG(p_j \Rightarrow AX\neg q_j)$. Since $M', s_0 \models \varphi^a_i$, we must have $(s_j,t_j) \notin R'$. Hence
$V(x_j) = ff$. Therefore $V(a_i) = tt$. Hence $V(a_i) \vee V(b_i) \vee V(c_i)$. □

B.2 Proof of Corollary 1

Proof. NP-membership: guess the substructure M' of M and then check
$M' \models \eta$ in polynomial time using a polynomial time model checking algo-
rithm.

NP-hardness: use the reduction from 3SAT to CTL model repair given
in the proof of Theorem 1, and then use the assumed reduction to L model
checking. □

B.3 Proof of Theorem 2

Proof. We proceed by induction on the structure of $\xi$. We sometimes write
$V(X_{s,\xi})$ instead of $V(X_{s,\xi}) = tt$ and $\neg V(X_{s,\xi})$ instead of $V(X_{s,\xi}) = ff$.

Case $\xi = \neg\varphi$:
$V(X_{s,\xi}) = tt$ iff
$V(X_{s,\neg\varphi}) = tt$ iff (by propositional consistency clause of Definition 5)
$V(X_{s,\varphi}) = ff$ iff (by the induction hypothesis)
not $(M', s \models \varphi)$ iff
$M', s \models \neg\varphi$ iff
$M', s \models \xi$

Case $\xi = \varphi \vee \psi$:
$V(X_{s,\xi}) = tt$ iff
$V(X_{s,\varphi \vee \psi}) = tt$ iff (by propositional consistency clause of Definition 5)
$V(X_{s,\varphi}) = tt$ or $V(X_{s,\psi}) = tt$ iff (by the induction hypothesis)
$(M', s \models \varphi)$ or $(M', s \models \psi)$ iff $M', s \models \varphi \vee \psi$ iff $M', s \models \xi$

Case $\xi = \varphi \wedge \psi$:
$V(X_{s,\xi}) = tt$ iff
$V(X_{s,\varphi \wedge \psi}) = tt$ iff (by propositional consistency clause of Definition 5)
$V(X_{s,\varphi}) = tt$ and $V(X_{s,\psi}) = tt$ iff (by the induction hypothesis)
$(M', s \models \varphi)$ and $(M', s \models \psi)$ iff $M', s \models \varphi \wedge \psi$ iff $M', s \models \xi$

Case $\xi = AX\varphi$:
$V(X_{s,\xi}) = tt$ iff
$V(X_{s,AX\varphi}) = tt$ iff
$\bigwedge_{t \mid s \rightarrow t} V(E_{s,t} \Rightarrow X_{t,\varphi}) = tt$ iff
$\bigwedge_{t \mid s \rightarrow t} (V(E_{s,t}) = tt \Rightarrow V(X_{t,\varphi}) = tt)$ iff (since s is reachable by assumption,
$E_{s,t}$ implies that t is also reachable, and apply the induction hypothesis)
$\bigwedge_{t \mid s \rightarrow t} ((s,t) \in R' \Rightarrow M', t \models \varphi)$ iff
$M', s \models AX\varphi$ iff
$M', s \models \xi$

Case $\xi = EX\varphi$:
$V(X_{s,\xi}) = tt$ iff
$V(X_{s,EX\varphi}) = tt$ iff
$\bigvee_{t \mid s \rightarrow t} V(E_{s,t} \wedge X_{t,\varphi}) = tt$ iff
$\bigvee_{t \mid s \rightarrow t} (V(E_{s,t}) = tt \wedge V(X_{t,\varphi}) = tt)$ iff (since t is reachable from s by assump-
tion, and apply the induction hypothesis)
$\bigvee_{t \mid s \rightarrow t} ((s,t) \in R' \wedge M', t \models \varphi)$ iff
$M', s \models EX\varphi$ iff
$M', s \models \xi$

Case $\xi = A[\varphi V \psi]$: We do the proof for each direction separately.

Left to right, i.e., $V(X_{s,A[\varphi V \psi]})$ implies $M', s \models A[\varphi V \psi]$:
$V(X_{s,A[\varphi V \psi]})$ iff
$V(X^n_{s,A[\varphi V \psi]})$ iff
$V(X_{s,\psi} \wedge (X_{s,\varphi} \vee \bigwedge_{t \mid s \rightarrow t} (E_{s,t} \Rightarrow X^{n-1}_{t,A[\varphi V \psi]})))$ iff
(since V is a valuation function, and so distributes over boolean connectives)
$V(X_{s,\psi}) \wedge (V(X_{s,\varphi}) \vee (\bigwedge_{t \mid s \rightarrow t} V(E_{s,t}) \Rightarrow V(X^{n-1}_{t,A[\varphi V \psi]})))$ iff (by the induction
hypothesis)
$M', s \models \psi$ and ($M', s \models \varphi$ or $\bigwedge_{t \mid s \rightarrow t} ((s,t) \in R' \Rightarrow V(X^{n-1}_{t,A[\varphi V \psi]}))$)

We now have two cases:

1. $M', s \models \varphi$. In this case, $M', s \models A[\varphi V \psi]$, and so $M', s \models \xi$.

2. $\bigwedge_{t \mid s \rightarrow t} ((s,t) \in R' \Rightarrow V(X^{n-1}_{t,A[\varphi V \psi]}))$.

For case 2, we proceed as follows. Let t be an arbitrary state such that
$(s,t) \in R'$. Then $V(X^{n-1}_{t,A[\varphi V \psi]})$. If we show that $V(X^{n-1}_{t,A[\varphi V \psi]})$ implies $M', t \models
A[\varphi V \psi]$ then we are done, by CTL semantics. The argument is essentially a
repetition of the above argument for $V(X_{s,A[\varphi V \psi]})$ implies $M', s \models A[\varphi V \psi]$.
Proceeding as above, we conclude $M', t \models \psi$ and one of the same two cases
as above.

However note that, in case 2, we are "counting down." Since we count down
for $n = |S|$, then along every path starting from s, either case (1) occurs,
which "terminates" that path, as far as valuation of $[\varphi V \psi]$ is concerned, or
we will repeat a state before (or when) the counter reaches 0. Along such a
path (from s to the repeated state), $\psi$ holds at all states, and so $[\varphi V \psi]$ holds
along this path. We conclude that $[\varphi V \psi]$ holds along all paths starting in
s, and so $M', s \models A[\varphi V \psi]$.

Right to left, i.e., $V(X_{s,A[\varphi V \psi]})$ follows from $M', s \models A[\varphi V \psi]$:
Assume that $M', s \models A[\varphi V \psi]$ holds. Hence $M', s \models \psi$ and ($M', s \models \varphi$ or
$\bigwedge_{t \mid s \rightarrow t} ((s,t) \in R' \Rightarrow M', t \models A[\varphi V \psi])$). By the induction hypothesis,
$V(X_{s,\psi}) \wedge (V(X_{s,\varphi}) \vee \bigwedge_{t \mid s \rightarrow t} ((s,t) \in R' \Rightarrow M', t \models A[\varphi V \psi]))$. We now
have two cases:

1. $V(X_{s,\varphi})$. Since we have $V(X_{s,\psi}) \wedge V(X_{s,\varphi})$ we conclude $V(X_{s,A[\varphi V \psi]})$,
and so we are done.

2. $\bigwedge_{t \mid s \rightarrow t} ((s,t) \in R' \Rightarrow M', t \models A[\varphi V \psi])$.

For case 2, we proceed as follows. Let t be an arbitrary state such that
$(s,t) \in R'$. Then $M', t \models A[\varphi V \psi]$. If we show that $V(X^{n-1}_{t,A[\varphi V \psi]})$ follows from $M', t \models
A[\varphi V \psi]$ then we can conclude $V(X_{s,A[\varphi V \psi]})$ by Definition 5. Proceeding as
above, we conclude $V(X_{t,\psi})$ and one of the same two cases as above:

• $V(X_{t,\varphi})$, so by Definition 5 $V(X^{n-1}_{t,A[\varphi V \psi]})$ holds.

As before, in case 2 we are "counting down." Since we count down for
$n = |S|$, then along every path starting from s, either case (1) occurs, which
"terminates" that path, as far as establishment of $V(X_{t,\varphi})$ is concerned, or
we will repeat a state before (or when) the counter reaches 0. Along such a
path (from s to the repeated state, call it v), $\psi$ holds at all states. By Defi-
nition 5, $X^0_{v,A[\varphi V \psi]} = X_{v,\psi}$. From $M', v \models \psi$ and the induction hypothesis,
$V(X_{v,\psi})$ holds. Hence $V(X^0_{v,A[\varphi V \psi]})$ holds. Thus, along every path starting from
s, we reach a state w such that $V(X^m_{w,A[\varphi V \psi]})$ holds for some $m \in \{0, \ldots, n\}$.
Hence by Definition 5, $V(X_{s,A[\varphi V \psi]})$ holds.

Case $\xi = E[\varphi V \psi]$: this is argued in the same way as the above case for
$\xi = A[\varphi V \psi]$, except that we expand along one path starting in s, rather
than all paths. The differences with the AV case are straightforward, and
we omit the details. □



B.4 Proof of Corollary 2

Proof. Let V be the truth assignment for repair(M, η) that was returned by
the SAT-solver in the execution of Repair(M, η). Since the SAT-solver is
assumed sound, V is actually a satisfying assignment for repair(M, η). For
(1), let u be an arbitrary reachable state in M'. Consider a path from $s_0$ to u.
By definition of repair(M, η), we have $V(E_{s,t}) = tt$ for every transition (s, t)
along this path. Hence $V(\bigvee_{v \mid u \rightarrow v} E_{u,v}) = tt$. Hence u has some outgoing
transition in M'. (2) holds by construction of M', which is derived from M
by deleting transitions and (subsequently) unreachable states. For (3), note
that $X_{s_0,\eta}$ is a conjunct of repair(M, η) by definition of repair(M, η). Hence
$V(X_{s_0,\eta}) = tt$. Hence, by Theorem 2, $M', s_0 \models \eta$. Finally, (4) follows from
(1)-(3) and Definition 3. □
B.5 Proof of Theorem 3

Proof. Assume that M is repairable with respect to η. By Definition 3
there exists a total substructure M' of M such that $M', s_0 \models \eta$. We define
a satisfying valuation V for repair(M, η) as follows.

Assign tt to $E_{s,t}$ for every edge $(s,t) \in R'$ and ff to $E_{s,t}$ for every
edge $(s,t) \notin R'$. Since M' is total, the "M' is total" section is satisfied by
this assignment.

Assign tt to $X_{s_0,\eta}$. Consider an execution of the CTL model checking
algorithm of [8] for checking $M', s_0 \models \eta$. This algorithm will assign a value
to every formula $\varphi$ in sub(η) in every reachable state s of M'. Set $V(X_{s,\varphi})$ to
this value. By construction of the [8] model checking algorithm, these valua-
tions will satisfy all of the constraints given in the "propositional labeling,"
"propositional consistency," "nexttime formulae," and "release formulae"
sections of Definition 5. Hence all conjuncts of repair(M, η) are assigned tt
by V. Hence V(repair(M, η)) = tt, and so repair(M, η) is satisfiable.

Now the SAT-solver used is assumed to be complete, and so will return
some satisfying assignment for repair(M, η) (not necessarily V, since there
may be more than one satisfying assignment). Thus, Repair(M, η) returns
a structure M'', rather than "failure." By Corollary 2, M'' is total, $M'' \subseteq M$,
and $M'', s_0 \models \eta$. □

C Technical Background

C.1 Computation Tree Logic

Let $\mathcal{AP}$ be a set of atomic propositions, including the constants true and
false. We use true, false as "constant" propositions whose interpretation is
always the truth values tt, ff, respectively.

The logic CTL [11] is given by the following grammar:

$\varphi ::= true \mid false \mid p \mid \neg\varphi \mid \varphi \wedge \varphi \mid \varphi \vee \varphi \mid AX\varphi \mid EX\varphi \mid A[\varphi V \varphi] \mid E[\varphi V \varphi]$

where $p \in \mathcal{AP}$.

The semantics of formulae are defined with respect to a Kripke structure.

Definition 6. A Kripke structure is a tuple $M = (s_0, S, R, L)$ where S is a
finite set of states, $s_0 \in S$ is a single initial state, $R \subseteq S \times S$ is a transition
relation, and $L : S \mapsto 2^{\mathcal{AP}}$ is a labeling function that associates each state
$s \in S$ with a subset of atomic propositions, namely those that hold in the
state.

We assume that a Kripke structure $M = (s_0, S, R, L)$ is total, i.e., $\forall s \in
S, \exists s' \in S : (s, s') \in R$. A path in M is a (finite or infinite) sequence of
states, $\pi = s_0, s_1, \ldots$ such that $\forall i \ge 0 : (s_i, s_{i+1}) \in R$. A fullpath is an
infinite path.

Definition 7. $M, s \models \varphi$ means that formula $\varphi$ is true in state s of structure
M and $M, s \not\models \varphi$ means that formula $\varphi$ is false in state s of structure M.
We define $\models$ inductively as usual:

• $M, s \models true$

• $M, s \not\models false$

• $M, s \models p$ iff $p \in L(s)$ where atomic proposition $p \in \mathcal{AP}$

• $M, s \models \neg\varphi$ iff $M, s \not\models \varphi$

• $M, s \models \varphi \wedge \psi$ iff $M, s \models \varphi$ and $M, s \models \psi$

• $M, s \models \varphi \vee \psi$ iff $M, s \models \varphi$ or $M, s \models \psi$

• $M, s \models AX\varphi$ iff for all t such that $(s,t) \in R$: $M, t \models \varphi$

• $M, s \models EX\varphi$ iff there exists t such that $(s,t) \in R$ and $M, t \models \varphi$

• $M, s \models A[\varphi V \psi]$ iff for all fullpaths $\pi = s_0, s_1, \ldots$ starting from $s = s_0$:
$\forall k \ge 0 : (\forall j < k : M, s_j \not\models \varphi)$ implies $M, s_k \models \psi$

• $M, s \models E[\varphi V \psi]$ iff for some fullpath $\pi = s_0, s_1, \ldots$ starting from $s = s_0$:
$\forall k \ge 0 : (\forall j < k : M, s_j \not\models \varphi)$ implies $M, s_k \models \psi$

We use $M \models \varphi$ to abbreviate $M, s_0 \models \varphi$. We introduce the abbreviations
$A[\varphi U \psi]$ for $\neg E[\neg\varphi V \neg\psi]$, $E[\varphi U \psi]$ for $\neg A[\neg\varphi V \neg\psi]$, $AF\varphi$ for $A[true\,U\,\varphi]$, $EF\varphi$
for $E[true\,U\,\varphi]$, $AG\varphi$ for $A[false\,V\,\varphi]$, $EG\varphi$ for $E[false\,V\,\varphi]$.
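Definition 7 can be implemented directly as an explicit-state model checker, and that checker is enough to exercise the 3SAT reduction from the proof of Theorem 1 (Appendix B.1) on a concrete instance. The following Python is an added example, not code from the paper: check computes the set of states satisfying a CTL formula, treating $A[\varphi V \psi]$ and $E[\varphi V \psi]$ as greatest fixpoints, which agrees with the fullpath definition above on total structures; reduce_3sat builds (M, η) from a 3CNF formula as in the proof (self-loops on each $s_j$ and $t_j$ are assumed, matching the R' used there, since the page's definition of R is truncated); and repair_assignments tries each choice of the $s_j \rightarrow t_j$ edges, the edges the proof's R' varies, and reads off the assignment $V(x_j) = tt$ iff $(s_j,t_j) \in R'$. The 3CNF instance at the bottom is constructed for this example.

```python
from itertools import product

def check(M, phi):
    """Return the set of states of the total structure M = (s0, S, R, L)
    that satisfy the CTL formula phi (nested tuples as in the example
    of Appendix A: ("prop", p), ("not", f), ("and", f, g), ("or", f, g),
    ("AX", f), ("EX", f), ("AV", f, g) for A[f V g], ("EV", f, g))."""
    s0, S, R, L = M
    succ = {s: {t for (a, t) in R if a == s} for s in S}
    op = phi[0]
    if op == "true":
        return set(S)
    if op == "false":
        return set()
    if op == "prop":
        return {s for s in S if phi[1] in L[s]}
    if op == "not":
        return set(S) - check(M, phi[1])
    if op == "and":
        return check(M, phi[1]) & check(M, phi[2])
    if op == "or":
        return check(M, phi[1]) | check(M, phi[2])
    if op == "AX":
        F = check(M, phi[1])
        return {s for s in S if succ[s] <= F}
    if op == "EX":
        F = check(M, phi[1])
        return {s for s in S if succ[s] & F}
    if op in ("AV", "EV"):
        # A[f V g] is the greatest fixpoint of Z = g and (f or AX Z);
        # E[f V g] is the same with EX. On a total structure this is the
        # fullpath condition of Definition 7: psi holds at every state up
        # to and including the first phi-state along the path.
        F, G = check(M, phi[1]), check(M, phi[2])
        Z = set(S)
        while True:
            nxt = {s for s in Z if s in G and (s in F or (
                   succ[s] <= Z if op == "AV" else bool(succ[s] & Z)))}
            if nxt == Z:
                return Z
            Z = nxt
    raise ValueError(f"unknown operator {op}")

def AG(f):
    return ("AV", ("false",), f)          # AG f abbreviates A[false V f]

def reduce_3sat(clauses, m):
    """Build (M, eta) from 3CNF clauses over x_1..x_m; literal +j is x_j
    and -j is not x_j. Self-loops on s_j and t_j keep M total (assumption
    taken from the proof's R')."""
    s = [f"s{j}" for j in range(m + 1)]
    t = [None] + [f"t{j}" for j in range(1, m + 1)]
    S, R, L = s + t[1:], set(), {"s0": set()}
    for j in range(1, m + 1):
        R |= {("s0", s[j]), (s[j], s[j]), (t[j], t[j]), (s[j], t[j])}
        L[s[j]], L[t[j]] = {f"p{j}"}, {f"q{j}"}
    def phi(lit):                         # phi^a_i, phi^b_i, phi^c_i of the proof
        j = abs(lit)
        pj, qj = ("prop", f"p{j}"), ("prop", f"q{j}")
        rhs = ("EX", qj) if lit > 0 else ("AX", ("not", qj))
        return AG(("or", ("not", pj), rhs))          # AG(p_j => rhs)
    eta = ("true",)
    for (a, b, c) in clauses:
        eta = ("and", eta, ("or", phi(a), ("or", phi(b), phi(c))))
    return ("s0", S, R, L), eta

def repair_assignments(clauses, m):
    """Keep or drop each s_j -> t_j edge, retain the substructures whose
    initial state satisfies eta, and read off V(x_j) = tt iff (s_j,t_j) in R'."""
    M, eta = reduce_3sat(clauses, m)
    s0, S, R, L = M
    choice = [(f"s{j}", f"t{j}") for j in range(1, m + 1)]
    found = []
    for keep in product([False, True], repeat=m):
        Rp = {e for e in R if e not in choice} | {e for e, k in zip(choice, keep) if k}
        if s0 in check((s0, S, Rp, L), eta):
            found.append({j: keep[j - 1] for j in range(1, m + 1)})
    return found

def satisfies(clauses, V):
    """Plain propositional check used to cross-validate the extracted V."""
    return all(any(V[abs(l)] if l > 0 else not V[abs(l)] for l in cl) for cl in clauses)

if __name__ == "__main__":
    F = [(1, 2, -3), (-1, 2, 3), (-2, -3, -3)]      # constructed 3CNF instance
    for V in repair_assignments(F, 3):
        print(V, satisfies(F, V))
```

For the constructed instance the four assignments read off from the repaired structures are exactly its four satisfying assignments, and an unsatisfiable instance such as $(x_1) \wedge (\neg x_1)$, written with repeated literals to keep three per clause, yields none.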

C.2 Alternating-Time Temporal Logic

We review Alternating-Time Temporal Logic (ATL) [1]. ATL extends the
existential and universal quantification over paths of CTL by offering se-
lective path quantification by a set of players, i.e., paths along which the
set of players can "enforce" the satisfaction of a formula. In general, ATL
is interpreted over concurrent game structures where every state transition
results from each player choosing its move, and then all players moving
"at the same time." There are also several kinds of restricted structures in
which ATL can be interpreted. Turn-based synchronous games are games
where in each step only one player makes a move, and the current player
is determined by the current state. Moore synchronous games are games
where the state space is partitioned according to the players, and in each
step, every player updates its own components of the state independently
of other players. Turn-based asynchronous games are games in which in each step
only one player has a choice of moves and that player is determined by a
fair scheduler. In this paper we restrict ourselves to turn-based synchronous
games. The results obtained still apply to other types of games since they
can be reduced to turn-based synchronous games in polynomial time [1].

Let $\mathcal{AP}$ be a set of atomic propositions including the constants true and
false. Let $\Sigma$ denote the set of players. The logic ATL is given by the following
grammar:

$\varphi ::= true \mid false \mid p \mid \neg\varphi \mid \varphi \wedge \varphi \mid \varphi \vee \varphi \mid \langle\langle A \rangle\rangle X\varphi \mid \langle\langle A \rangle\rangle [\varphi V \varphi]$

where $p \in \mathcal{AP}$, $A \subseteq \Sigma$.

We use $M \models \varphi$ to abbreviate $M, s_0 \models \varphi$. We introduce the abbreviations
$\langle\langle A \rangle\rangle [\varphi U \psi]$ for $\neg\langle\langle \Sigma - A \rangle\rangle [\neg\varphi V \neg\psi]$, $\langle\langle A \rangle\rangle F\varphi$ for $\langle\langle A \rangle\rangle [true\,U\,\varphi]$,
and $\langle\langle A \rangle\rangle G\varphi$ for $\langle\langle A \rangle\rangle [false\,V\,\varphi]$.

Definition 8 (ATL formula subformulae). Given an ATL formula $\varphi$, its
subformulae $sub(\varphi)$ is defined as follows:

• $sub(p) := \{p\}$ where p is true, false, or an atomic proposition

• $sub(\varphi \wedge \psi) := \{\varphi \wedge \psi\} \cup sub(\varphi) \cup sub(\psi)$

• $sub(\varphi \vee \psi) := \{\varphi \vee \psi\} \cup sub(\varphi) \cup sub(\psi)$

• $sub(\langle\langle A \rangle\rangle X\varphi) := \{\langle\langle A \rangle\rangle X\varphi\} \cup sub(\varphi)$

• $sub(\langle\langle A \rangle\rangle (\varphi V \psi)) := exp(\langle\langle A \rangle\rangle (\varphi V \psi)) \cup sub(\varphi) \cup sub(\psi)$

In [1], the semantics of ATL is defined with respect to concurrent game
structures. Since we consider only turn-based synchronous game structures,
we provide a (simpler) definition of ATL semantics with respect to turn-
based synchronous game structures.

Definition 9. A turn-based synchronous game structure is a tuple $M =
(s_0, S, R, L, \sigma)$ where S is a finite set of states, $s_0$ is the single initial state,
$R \subseteq S \times S$ is a transition relation and $L : S \mapsto 2^{\mathcal{AP}}$ is a labeling function
that associates each state $s \in S$ with a subset of atomic propositions, namely
those that hold in the state. $\sigma$ is the turn function $\sigma : S \mapsto \Sigma$ that maps
each state to a player (whose turn it is to make a move).

We assume that each structure $M = (s_0, S, R, L, \sigma)$ is total, i.e., $\forall s \in
S, \exists s' \in S : (s, s') \in R$. A path in M is a (finite or infinite) sequence of
states, $\pi = s_0, s_1, \ldots$ such that $\forall i \ge 0 : (s_i, s_{i+1}) \in R$. A fullpath is an
infinite path.

For a path $\pi$ and a position $i \ge 0$, we use $\pi[i]$ to denote the i-th state of
$\pi$. A strategy for a player $a \in \Sigma$ is a mapping $f_a : S^* \mapsto S$ that assigns to
every finite path $\pi$ a successor state $s \in S$. Given a state $s \in S$ and a set
$A \subseteq \Sigma$ of players, an A-strategy $F_A = \{f_a \mid a \in A\}$ is a set of strategies,
one for each player in A. We define the outcomes of $F_A$ from s to be the
set $out(s, F_A)$ of all fullpaths that the players in A can enforce when they
follow the strategies in $F_A$, i.e., a fullpath $\pi = s_0, s_1, \ldots$ is in $out(s, F_A)$ if
$s_0 = s$ and for all $i \ge 0$, if $a = \sigma(\pi[i])$ then $s_{i+1} = f_a(\pi[0, i])$.

Definition 10 (ATL semantics). $M, s \models \varphi$ means that $\varphi$ is true in state s
of game structure $M = (s_0, S, R, L, \sigma)$. $M, s \not\models \varphi$ means that formula $\varphi$ is
false in state s of game structure M. We define $\models$ inductively as usual:

• $M, s \models true$

• $M, s \not\models false$

• $M, s \models p$ iff $p \in L(s)$ where atomic proposition $p \in \mathcal{AP}$

• $M, s \models \neg\varphi$ iff $M, s \not\models \varphi$

• $M, s \models \varphi \wedge \psi$ iff $M, s \models \varphi$ and $M, s \models \psi$

• $M, s \models \varphi \vee \psi$ iff $M, s \models \varphi$ or $M, s \models \psi$

• $M, s \models \langle\langle A \rangle\rangle X\varphi$ iff there exists a set $F_A$ of strategies, one for
each player in A, such that for all fullpaths $\pi \in out(s, F_A)$, we have
$M, \pi[1] \models \varphi$

• $M, s \models \langle\langle A \rangle\rangle [\varphi V \psi]$ iff there exists a set $F_A$ of strategies, one for
each player in A, such that for all fullpaths $\pi \in out(s, F_A)$:

$\forall k \ge 0 : (\forall j < k : M, \pi[j] \not\models \varphi)$ implies $M, \pi[k] \models \psi$